New England Cybersecurity And Data Privacy Class Action Filings Soar In 2023

Earlier in 2023, we launched our New England and First Circuit Class Action
Tracker, as a tool to analyze class action litigation trends in
Massachusetts, Maine, New Hampshire, and Rhode Island. In July, we
updated our tracker to include data through the second quarter of
2023. A review of new filings submitted during that latest quarter
reinforces the trends that we recently observed in our client alert on the enforcement of U.S.
Consumer Data Privacy laws through private litigation. Namely, we
are seeing record-high levels of data privacy and cybersecurity
class action filings, particularly in Massachusetts courts, in the
first half of 2023.

Data privacy and cybersecurity class action suits continue to
represent the largest share of annual class action filings in New
England to date. Although the healthcare sector continues to
represent the largest share of defendants, other sectors, such as
tech, retail and manufacturing, and financial and professional
services, are also experiencing high rates of
cybersecurity and data privacy class actions. In this post, we
highlight two major trends that we see based on a review of the
actions included in our most recent update.

Cyber Attacks Resulted in Copycat Complaints

Second quarter filings provide further evidence that a single
cyber-attack can result in a barrage of class action complaints for
affected businesses. Of the eighty actions filed in or removed to
the District of Massachusetts in the second quarter, twenty-six (or
33% of the total) correspond to five cyber-attacks against five
separate entities, three of which operate in the healthcare sector.
One cyber-attack in particular, against a large Boston-based health
insurer, is the source of eleven separate class action

There are striking similarities in the structure, content and
allegations within these related complaints. Nearly every complaint
includes a breach of duty under a negligence theory as the first
count; many include negligence per se as a second count.
The source of the duty is often grounded in the relationship
between the affected individual and the defendant (for example,
insured and insurer). In every case, the section relating to breach
includes a reference to the Federal Trade Commission’s
position, famously litigated in LabMD, Inc. v. Federal Trade
Commission, that the failure to adopt reasonable cyber
security measures is an unfair trade practice. In many cases,
additional references can be found to the HIPAA Security and Breach Notification Rules (where applicable),
to state security and data breach notification laws, to state
consumer protection acts, and to industry standards such as the NIST
Cybersecurity Framework.

Additional claims align to those often seen in other
cybersecurity and privacy class action complaints, including breach
of contract, breach of implied contract, and violations of state
unfair and deceptive trade practice acts, especially where such
acts allow for a private right of action. However, some complaints
include less common theories for relief such as unjust enrichment,
breach of third-party beneficiary contract, bailment, and negligent
misrepresentation. Thus, these cases provide helpful guidance to
potential defendants about the types of claims they are likely

Alleged Harms Likely to Encounter Continued Article III

Most complaints define the harm to affected individuals as a
heightened risk of fraud and identity theft and costs and time
incurred to protect against such theft through credit monitoring,
reports, freezes and other protective measures.

As we discussed in a November 2021 post regarding a case in the
District Court of Massachusetts, Webb v. Injured Workers Pharmacy,
many courts have been skeptical towards the idea that
the costs incurred and time spent to protect oneself against the
potential future misuse of compromised personal information are, in
themselves, sufficient to establish concrete injury for purposes of
Article III standing. However, the First Circuit’s reversal of the District
Court’s decision in Webb may be the first sign that
such skepticism is waning. In our most recent post, we discussed the First
Circuit’s decision in detail. The First Circuit held that
actual misuse of personally identifiable information is in itself a
concrete injury, even absent monetary or other direct harm.
Further, the First Circuit agreed with the plaintiffs that lost
professional time expended to monitor accounts to protect against
future identity theft constitutes a concrete injury.

By potentially expanding the scope of concrete injury within the
context of a cyber-attack to include scenarios short of economic or
direct harm and preventative measures such as lost professional
time or monitoring costs, the First Circuit may have created a
wider opening for plaintiffs to survive an initial motion to
dismiss for lack of standing. Nonetheless, the precise scope of
non-economic harms and preventative expenditures that satisfy
standing has yet to be determined; accordingly, cases in the
interim will likely continue to be decided on a fact-specific
basis, with defendants mounting challenges based on Article III

We will continue to monitor these cases for further developments
and publish an update to our New England and First Circuit Class Action
Tracker at the close of the third quarter of 2023.

Thank you to firm summer associate Mark Sayre for his
contribution to this alert.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
